
jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

It is a stretch to even call that a vulnerability. It would be easier to trick a user into downloading and executing code themselves than to get them to drag a properly crafted image into the address bar and then use the url.

Sorry, but that's a pretty unlikely exploit. To carry it out, someone has to be convinced to drag and drop an image onto an empty address bar. Have you seen many sites that do that? Have you seen many users who either understand or follow such instructions?

Journalists are scum when interpreting technical articles without experience or familiarity with the aspects compared; the report differed significantly from the site-article summary of it. Slashdot should be a collection of technical articles written by technical professionals for interested parties, but it has fallen to the scum of journalistic manipulations of information. On a technical level, vulnerabilities in both are posted as a significant user base has yet to update either or both the program (is it no

Today, the security firm Secunia has released 8 more security bugs it has discovered in Mozilla products, including Firefox and Thunderbird. [......] If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about

The Firefox 1.0.1 update was out before today, so did Secunia just look at what the 1.0.1 update fixes and release its "bug" report, or did they discover something new to 1.0.1?

Secunia just put the list together. Copy/pasting the list and who found them from secunia since someone didn't link to it in the article.

1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.

2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

This is similar to: SA12712

3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.

4) The problem is that a XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.

5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.

6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.

7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.

Successful exploitation requires that the malicious website is allowed to request installations.

8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.

9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.
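The symlink issue in item 1 comes down to how the temporary directory is created. As an added example (not Mozilla's code; the function names are hypothetical), here is the weak predictable-name pattern beside a hardened version that uses mkdtemp() and checks ownership and mode before the directory is used or removed:

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if path is a real directory (not a symlink), owned by the
 * calling user, with mode 0700; -1 otherwise.  lstat() is used so that a
 * symlink planted at the path is seen as a symlink, not as its target. */
int verify_private_dir(const char *path) {
    struct stat st;
    if (lstat(path, &st) == -1) return -1;
    if (!S_ISDIR(st.st_mode)) return -1;        /* symlink or plain file */
    if (st.st_uid != getuid()) return -1;       /* created by someone else */
    if ((st.st_mode & 0777) != 0700) return -1; /* group/other have access */
    return 0;
}

/* Weak pattern (hypothetical reconstruction, not Mozilla's code): a fixed,
 * guessable name under /tmp.  If the path already exists, possibly as a
 * symlink another local user planted there, it is silently reused, so a
 * later recursive delete of "our" directory follows the link. */
int plugin_tmpdir_insecure(char *out, size_t outlen) {
    snprintf(out, outlen, "%s", "/tmp/plugtmp");
    if (mkdir(out, 0700) == -1 && errno != EEXIST) return -1;
    return 0;   /* no check of what actually lives at this path */
}

/* Hardened pattern: mkdtemp() picks an unpredictable name and creates the
 * directory atomically with mode 0700, failing instead of reusing an
 * existing path; the result is then verified before use. */
int plugin_tmpdir_secure(char *out, size_t outlen) {
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    if (snprintf(out, outlen, "%s/plugtmp.XXXXXX", base) >= (int)outlen)
        return -1;
    if (mkdtemp(out) == NULL) return -1;
    return verify_private_dir(out);
}

/* Cleanup re-verifies the path and removes only the (empty) directory
 * itself with rmdir(), never recursing into whatever the path points at. */
int remove_private_dir(const char *path) {
    if (verify_private_dir(path) != 0) return -1;
    return rmdir(path);
}

int main(void) {
    char dir[256];
    if (plugin_tmpdir_secure(dir, sizeof dir) != 0) {
        perror("plugin_tmpdir_secure");
        return 1;
    }
    printf("private plugin dir: %s\n", dir);
    return remove_private_dir(dir) == 0 ? 0 : 1;
}
```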

2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

I always wanted that modal dialog to be made non-modal and only appear for that tab (when it's in focus).

I doubt this would've prevented the bug, but the page it was appearing for would be obvious. A possible hack to that could be... have a JavaScript window which is already open make the connection. In that case, even if the JS window is shown, with the browser most likely behind it, it wouldn't be obvious. Could fix that too :P by outlining the window/tab that calls it. Of course, even that could...

Or how about just stopping the JavaScript interpreter when the window isn't in focus. And if a child window is being viewed, make sure that its parent windows gain focus behind it or something to that effect. That would more or less cover all the cases, would it not?

Regards,
Steve

In the case of Mozilla, Secunia regularly regurgitates the official Mozilla.org advisories (as is the case here [secunia.com]). Pretty much the time flow goes like:

vulnerabilities discovered; reported to mozilla.org

they sit for a while

eventually fixed and go into the next release

after a few days, mozilla.org opens up the security bugs fixed in that release and posts advisories

Secunia sees them and posts info on same advisories

people see Secunia with Mozilla vulnerabilities

And I know Secunia didn't come up with the list because

they link to mozilla.org (except in one case, where they linked to iDefense) as original advisories

"Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others."

I recognize names from the list - Phil Ringnalda is the Chatzilla guy, and Doug Turner is Minimo. So they already work on Mozilla a lot. That, and I'm in the list (probably undeserved).

The thing that sucks is that there is no update button in Firefox 1.0. Well, there is, but it only updates the Extensions when I run it. That could lead the average user to believe that they have already updated their browser. Will this be fixed in Firefox 1.1? Or should I file it?

The update button showed up for me today. I clicked it and it ran me through the download and install of 1.0.1. The automatic update was intentionally delayed because of server capacity issues; apparently they've got them sorted out now.

They started rolling it out for Windows only, but they had to cancel it. Linux and Mac users were getting the Windows-only code and that was causing problems, so it was disabled. It is now back for Windows users.

The thing that sucks is that there is no update button in Firefox 1.0. Well, there is, but it only updates the Extensions when I run it. That could lead the average user to believe that they have already updated their browser. Will this be fixed in Firefox 1.1? Or should I file it?

It looks like [mozillazine.org] they are aware of these problems and are working on them.

Asa mentioned something about server problems and activating the update for 1.0.1 later, and indeed it did show up today. Granted, it's a week since the release and that's a long time for a security update... And Windows-only apparently, though Linux users probably update through their native package systems anyway.

It is certainly good that people are looking out for bugs, but Secunia didn't find these. They just compiled a list of known bugs that were fixed in 1.0.1. Their site is supposed to be a consolidated source for finding vulnerabilities and researching the security of applications, which means whether or not they find the vulnerabilities, they report on them.

Regards,
Steve

Ok.... IE has two major security issues inherent in its design and that is zone permission elevation while the other is ActiveX related.

Mozilla/Firefox has another-- XUL display. XUL is a great technology, but it is difficult to handle because the main UI rendering is too closely tied to the rendering of the web site. There is a security barrier which is designed to keep one from harming the system but it is not designed to prevent spoofing of apps. Hopefully a defence barrier can be built in.

Sure, you can copy-and-paste anything you want into your URL bar, and hit enter. This takes time, and thought, and you have to look at the string in two different places, so it's reasonably secure based on that.

The only security problems that could arise would be if there were links that you could click on, or bookmark them. Try it here [68k.org] (slashdot won't let you write chrome:// URLs unfortunately). It doesn't work.

There are tons of security measures related to XPI/XUL, the Firefox team has IMHO taken an OVERLY aggressive approach to XUL/XPI issues. You know why there are several extra steps required in Firefox to install an XPI plugin [mozdev.org]? Because there were some theoretical exploits where someone might ask a user to click on a place on the screen over and over (eg. hit the monkey), and then display the XPI dialog there, and the user might end up clicking "yes, please install" before they realized that they were running potentially suspicious code. So now users have to wait a few seconds before being able to click.

Users CAN actually configure their browser to let remote sites do just about anything [mozilla.org], include read/write files, change the clipboard, etc., because this is sometimes something that's useful that users might want from a few special sites. But it's a pain in the butt to get the several security configuration settings set properly, and again, as a developer, I think they might have overdone it.

The fact that you can't just click on a link doesn't mean that this is not a problem. Yes, there are security measures and barriers in place, but this is the *problem*, not the solution.

You see, the security barriers exist because you want to provide some functionality which is more trusted than others. This is part of the reason why IE is so darned insecure: it has too many of these security barriers.

Instead, the problem is that you have the problem that the security barriers are fundamentally permeabl

Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Secunia advisories [secunia.com] page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 [slashdot.org] has already been covered on Slashdot, and these vulnerabilities were announced then [mozilla.org].

I'm rather unimpressed with Firefox today. The update button popped up this afternoon, yet the update itself was dated Feb. 25. I realize they didn't want a mass stampede to their server, but that means a heck of a lot of people were unprotected (and remain unprotected) if they don't habitually check /. or Mozilla.org to see if there are new versions available.

They greeted this security update better than Microsoft usually does...but not much better.

The answer seems to be no. In advanced there is a button [check] (which does not work correctly, click multiple times). Maybe they should add torrent functionality to download signed updates or something similar.

Supposedly. By my reading of Asa's blog [mozillazine.org], if you use the en-US version (most of Slashdot), then you should be able to get an update. Specifically, check out the entries localized 1.0.1 updates [mozillazine.org] and another try at update [mozillazine.org].

However, I use the en-US version, and my Firefox refuses to auto-update. So it doesn't appear to be working for everyone. (I'm behind a firewall, if that matters.)

If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault

This is funny, but very true. The same goes for MS Office documents. If you open a Word document in a different version of MS Word and it gets fragged, it's not your fault, it is Microsoft's fault.

If, however, you open that same document in OpenOffice and it renders it wrong because of some crazy layout (think table cells that span multiple pages...), then YOU are to blame. You should have "just used normal programs"...

By default, Firefox will only allow extensions (XPIs) to be installed from a whitelist of sites that starts out as (update.mozilla.org).

For you to become infested with spyware by viewing a web site, you either added that site to the whitelist, or you were a victim of an unreported security problem. Did you report the site that infected you to bugzilla.mozilla.org?

If someone in my organization came to me with that, I would have to reprimand them. As the creators of applications, we have to be focused completely on quality, but the reality is that there WILL be bugs and you have to plan for them.

Converse to your argument, now that we have everyone completely committed to writing secure & quality code, we can stop code audits, QA, and pen testing, because hey, we have a commitment to quality. Give me a break man, it's not nearly as clearly defined as you're maki

Secunia collectively rated the vulnerabilities as "Moderately Critical," and said that only Firefox has been fixed. Users should download the newest edition, Firefox 1.0.1, which was released last week.

The vulnerabilities have been corrected in Mozilla, but the patched edition, 1.7.6, has not yet been officially released. The same goes for Thunderbird, the Mozilla Foundation's free e-mail client, which is also susceptible to the bugs. Both Mozilla 1.7.6 and Thunderbird 1.0.1 should roll out this week, Mozi

That has to be the most pathetic Slashdot blurb I've ever seen. It's grossly misleading and links to a completely asinine site (which, in return, doesn't even link to the Secunia report, the real source).

I was actually expecting this. Firefox is an immature fork. One vulnerability eliminated is one less to be discovered later. It is inconvenient now, but should expedite relative maturity in the base. I am, however, still awaiting an automatic update for my installation of Firefox 1.0...;-)

The bugs have already been dealt with. From TFA: "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about". In other words, Firefox has already fixed these security bugs and all Firefox users have to do is upgrade to 1.0.1 [mozilla.org].

Your bank can and will ask you to confirm your password at random intervals via email.

If in doubt about who sent the email, click on the link they provide in the email to get to your bank's website to make sure it's them.

And remember, even banks sometimes forget to get their ssl certificates in order. No worries though, MS has been focusing on security for the last couple of years and IE is almost as solid as Firefox is....

Open source or closed source... makes no difference, bugs and exploits will always exist. Claiming that Firefox is the answer to all security problems is silly. Software by its very nature can be exploited for evil and no code is completely secure. Until people realize that the convenience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exist, problems will always exist. Makes me glad I'm in the software business as I know my future is secure..

Anyone else notice how now that Firefox has gotten pretty big, you're mostly hearing about Firefox issues, rather than the slew of IE issues that we used to be swarming over. In essence it makes sense as most /.ers have upgraded to Firefox, however it just seems to be working that way. I don't think that M$ could have gotten all of the kinks out of IE, so what's the deal?

you're right... I agree they attack Firefox while ignoring IE issues that were never addressed. So, in case anyone hasn't heard this: I just wanted to say IE sucks really bad, especially if you're on a Mac and they won't do anything useful.

I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.

I really have received real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.

The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.

(for me) isn't really the technology or the security. IE and Firefox are really not that far apart in terms of bugs/features (yet).. the main difference to me is that on one hand, you have a greedy, monopolistic company working outside proper market forces, allowing it to decide when and how it improves its software (IE 6.0 released in Aug 2002; what major sw app can get away with a 3 year major release cycle?) vs. Firefox/Mozilla, a grass-roots collaboration of people who are trying to make something significant and have fun at the same time.

The choice for me is not a lot different than choosing to live in the Soviet Union or the United States. I'd rather not eat the gruel (or browser) someone else thinks is all I deserve.

I would love to see how they actually find some of these vulnerabilities. Direct from Secunia:
"The vulnerability is caused due to missing URI handler validation when dragging an image with a "javascript:" URL to the address bar. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging an image to the address bar."
Don't think I've ever dragged anything from a web page in my life.. I may be a newbie though (only been on the net since 1992..

I actually got an email from a friend of mine on the Redmond campus warning me to be careful since I use that dangerous Firefox browser about 3 hours ago.
I told him I wouldn't believe it until I saw it on Slashdot! :D

I see this as the beginning of what could be called a vulnerability war. We all know there are tons of bugs in any software that's actually released to the wild. With that said, the number of vulnerabilities that are found is really just a function of how hard people look.

Once found, if people want to be malicious about it, they'll release the vulnerability information to black hats, then the public, then the company(if at all). If bugs cause people to switch browsers, all that needs to be done is make su

Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.

I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might...

You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them... in fact, these holes have already been fixed.

Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.

Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.

Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?

I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?

I only have this problem with the /. front page and no other page that I frequent.

I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?

What? I never had a problem with Slashdot. What exactly makes it "unreadable"?

Sometimes the stories or comments get shoved into the left nav. Sometimes the tables don't render at all leaving a largely blank page. This has been a problem since Netscape 7.0 came out (whatever version of mozilla that was.) In fact, when Slashdot put up the story about NS7 being release, I immediately downloaded it and just as quickly found the problem. I don't use windows much, but under linux, this has been a problem for

I've seen it on other sites as well. Something about table widths being set to 100% or something. On some sites, the main text table cell doesn't show up until there's a reload. The same ctrl- ctrl+ fixes those too or a reload. It's really annoying.

I also waited for Firefox to alert me that an update was available, both to be kind to the servers and to see how the update process worked. Yesterday it alerted me to the update via a new icon next to the activity icon in the upper right of the window.

Interestingly, when I went through the update process, it downloaded and installed the full 1.01 package. Does anyone know if this is how updates will be done in the future, or if Mozilla will migrate to a patch system?